Uploaded image for project: 'WildFly Common'
  1. WildFly Common
  2. WFCOM-66

New XML Factories with Restriction of XML External Entity Reference (XXE)

    XMLWordPrintable

Details

    • Enhancement
    • Resolution: Done
    • Major
    • 1.6.0.Final
    • 1.5.3.Final
    • None

    Description

      As discussed on Zulip multiple modules inside WildFly-Core, WildFly and maybe other components shall prevent from XXE. Currently some codepoints use a native javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory. Restriction of XML External Entity Reference is lacking.

      Fix:

      • Provide factories setting secure defaults (here)
      • Use the new factories at relevant places WFCORE-5594

      Related to:

      The approach is to try to set/activate the relevant properties and log a warning if the underlying Factory does not support the property. The log shall appear only once (per classloader).

      Attachments

        Issue Links

          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) WFCOM-70 Additional XML Factories with Restriction of XXE

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Pull Request Sent

          Activity

            People

              Unassigned Unassigned
              xf01213 Boris Unckel (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: